internal/govulncheck: add more comments for emitted OSVs

zpavlinovic · zpavlinovic · commit 03e66a609a8e · 2024-06-05T13:32:55.000Z
Change-Id: I268971d26368476c4eda5da032fdf56e5698042f Reviewed-on: https://go-review.googlesource.com/c/vuln/+/590515 TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> Reviewed-by: Maceo Thompson <maceothompson@google.com>
diff --git a/internal/govulncheck/govulncheck.go b/internal/govulncheck/govulncheck.go
@@ -37,10 +37,15 @@ const (
 // Message is an entry in the output stream. It will always have exactly one
 // field filled in.
 type Message struct {
-	Config   *Config    `json:"config,omitempty"`
-	Progress *Progress  `json:"progress,omitempty"`
-	OSV      *osv.Entry `json:"osv,omitempty"`
-	Finding  *Finding   `json:"finding,omitempty"`
+	Config   *Config   `json:"config,omitempty"`
+	Progress *Progress `json:"progress,omitempty"`
+	// OSV is emitted for every vulnerability in the current database
+	// that applies to user modules regardless of their version. If a
+	// module is being used at a vulnerable version, the corresponding
+	// OSV will be referenced in Findings depending on the type of usage
+	// and the desired scan level.
+	OSV     *osv.Entry `json:"osv,omitempty"`
+	Finding *Finding   `json:"finding,omitempty"`
 }
 
 // Config must occur as the first message of a stream and informs the client
